KISS committed credentials goodbye

I write mainly for iOS, and I want something as lightweight and simple as possible to simply replace templated strings in my codebase with the appropriate values. I’ve used cocoapods-keys for some time, and it fulfills its use case very well, but it only works on secrets that are used in your application’s executable code. This means any sort of build environment tools (like Xcode Build Phase scripts) that require secrets, or things that want to use Plists, won’t be able to use it.

SED it and forget it

I wrote a script to do a basic search-and-replace throughout a codebase and swap template values for actual credentials. The template values are enumerated in a file that you commit to your codebase, paired with another file that contains the actual secret values, in .psst/keys and .psst/values respectively. The separation makes gitignoring the secret values file easy. If no secret values file exists, the script will try to expand environment variables of the same name, a common workflow for CI setups. (Optionally, a path to a keychain can be supplied, if you prefer to check in your secrets to the codebase in a securely encrypted file.) It will then iterate through the keys with secrets in hand and perform the replacements.
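An added example of that workflow in POSIX sh, not the psst script itself: it assumes `__KEY__` placeholders in source files, one key per line in `.psst/keys`, `KEY=VALUE` lines in `.psst/values`, and falls back to an environment variable of the same name when the values file is absent; the keychain option is left out.

```shell
#!/bin/sh
# Added example, not the psst tool's own code. Assumptions: placeholders look
# like __KEY__, keys are listed one per line in .psst/keys, and secrets are
# KEY=VALUE lines in .psst/values (which is gitignored). When .psst/values is
# absent, each key is read from a shell/environment variable of the same name,
# as on CI. The keychain option from the post is not implemented here.

# psst_value KEY VALUES_FILE : print the secret for KEY, or fail loudly.
psst_value() {
  key=$1 values=$2
  # Only identifier-shaped keys are accepted: the key is used in eval and sed.
  case $key in
    ''|*[!A-Za-z0-9_]*|[0-9]*) echo "psst: bad key name '$key'" >&2; return 1 ;;
  esac
  if [ -f "$values" ]; then
    v=$(grep "^$key=" "$values" | head -n 1 | cut -d= -f2-)
  else
    eval "v=\${$key:-}"
  fi
  # An empty secret almost always means a misconfiguration; never write one out.
  [ -n "$v" ] || { echo "psst: no value for $key" >&2; return 1; }
  printf '%s' "$v"
}

# psst_replace ROOT : substitute every __KEY__ placeholder under ROOT in place.
psst_replace() {
  root=$1 keys="$1/.psst/keys" values="$1/.psst/values"
  [ -f "$keys" ] || { echo "psst: missing $keys" >&2; return 1; }
  while IFS= read -r key || [ -n "$key" ]; do
    [ -n "$key" ] || continue
    secret=$(psst_value "$key" "$values") || return 1
    # Escape the characters sed treats specially in a replacement (/ & \),
    # so a secret such as a URL with '/' or '&' is inserted verbatim.
    esc=$(printf '%s' "$secret" | sed 's/[\/&\\]/\\&/g')
    # -i.bak works on both BSD (macOS) and GNU sed; the backups are removed
    # afterwards so no copy of the secret lingers in a stray file.
    find "$root" -type f ! -path '*/.psst/*' ! -path '*/.git/*' ! -name '*.bak' \
      -exec sed -i.bak "s/__${key}__/$esc/g" {} +
    find "$root" -type f -name '*.bak' -exec rm -f {} +
  done < "$keys"
}
```

Run it from an Xcode Build Phase as `psst_replace "$SRCROOT"` after sourcing the file; a key with no value fails the build rather than shipping an empty string.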

In case of emergency, don’t break, continue

OK, mistakes happen. This is a software tool, and it's being used by humans. If you find you've still accidentally committed sensitive data to your codebase and pushed it, it's out there forever. Don't bother trying to rewrite your git history: rotate that credential immediately!